From dc7008d9a5b72fdd256dd0e5813b9e5fdf14e734 Mon Sep 17 00:00:00 2001 From: Pete Birley Date: Thu, 26 Jul 2018 14:05:54 -0500 Subject: [PATCH] Keystone: enable external access to admin endpoint This PS moves to use port 80 by default for the keystone asdmin endpoint, and adjusts paths accordingly. Change-Id: Iccae704dadc17eba269e857301654782f64763c9 Signed-off-by: Pete Birley --- barbican/values.yaml | 3 +- ceilometer/values.yaml | 3 +- ceph-client/values.yaml | 3 +- cinder/values.yaml | 3 +- congress/values.yaml | 3 +- glance/values.yaml | 3 +- gnocchi/values.yaml | 3 +- heat/values.yaml | 3 +- ironic/values.yaml | 3 +- keystone/templates/deployment-api.yaml | 10 +++++-- .../templates/etc/_wsgi-keystone.conf.tpl | 29 ++++++++++++++++--- keystone/templates/service-api.yaml | 24 ++++++++------- keystone/values.yaml | 4 ++- magnum/values.yaml | 3 +- mistral/values.yaml | 3 +- neutron/values.yaml | 3 +- nova/values.yaml | 3 +- rally/values.yaml | 3 +- senlin/values.yaml | 3 +- tempest/values.yaml | 3 +- tools/deployment/common/setup-client.sh | 2 +- 21 files changed, 82 insertions(+), 35 deletions(-) diff --git a/barbican/values.yaml b/barbican/values.yaml index 5bbe35eb00..8837d90674 100644 --- a/barbican/values.yaml +++ b/barbican/values.yaml @@ -546,12 +546,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 key_manager: name: barbican hosts: diff --git a/ceilometer/values.yaml b/ceilometer/values.yaml index 7d43bc673b..a59ecbb527 100644 --- a/ceilometer/values.yaml +++ b/ceilometer/values.yaml @@ -1707,12 +1707,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: 'http' port: api: default: 80 - admin: 35357 metering: name: ceilometer hosts: diff --git a/ceph-client/values.yaml b/ceph-client/values.yaml index 4617aea1fa..88d8b12990 100644 --- a/ceph-client/values.yaml 
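Review bot: In the barbican/values.yaml hunk, deleting `port.api.admin: 35357` while adding `path.admin: /identity_admin/v3` leaves no comment telling operators that the Keystone admin interface now appears to resolve to `port.api.default` (80), so admin and public traffic are separated by URL path only. With `scheme.default` still `http`, admin tokens would cross that shared port in cleartext unless TLS is terminated in front of it. I would add above `path:` a comment such as `# NOTE: admin falls back to port.api.default; restrict /identity_admin upstream or set port.api.admin to keep a separate listener`. The identical hunks in the other charts' values.yaml files in this patch (ceilometer through tempest) need the same comment.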
+++ b/ceph-client/values.yaml @@ -451,12 +451,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 object_store: name: swift namespace: null diff --git a/cinder/values.yaml b/cinder/values.yaml index 48205228ad..cbaf15408b 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml @@ -1070,12 +1070,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 image: name: glance hosts: diff --git a/congress/values.yaml b/congress/values.yaml index ded5e50347..581d73e61b 100644 --- a/congress/values.yaml +++ b/congress/values.yaml @@ -245,12 +245,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 policy: name: congress hosts: diff --git a/glance/values.yaml b/glance/values.yaml index f6694a1107..378ff0fda0 100644 --- a/glance/values.yaml +++ b/glance/values.yaml @@ -575,12 +575,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 image: name: glance hosts: diff --git a/gnocchi/values.yaml b/gnocchi/values.yaml index a83009220b..b4c6607802 100644 --- a/gnocchi/values.yaml +++ b/gnocchi/values.yaml @@ -486,12 +486,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: 'http' port: api: default: 80 - admin: 35357 metric: name: gnocchi hosts: diff --git a/heat/values.yaml b/heat/values.yaml index d0401aacb7..3f26f116f0 100644 --- a/heat/values.yaml +++ b/heat/values.yaml @@ -812,12 +812,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: 'http' port: api: default: 80 - admin: 35357 orchestration: name: heat hosts: 
diff --git a/ironic/values.yaml b/ironic/values.yaml index 1faa575e3e..27da1520fd 100644 --- a/ironic/values.yaml +++ b/ironic/values.yaml @@ -400,12 +400,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 baremetal: name: ironic hosts: diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml index b4825ec006..f5fad6e984 100644 --- a/keystone/templates/deployment-api.yaml +++ b/keystone/templates/deployment-api.yaml @@ -65,15 +65,19 @@ spec: - /tmp/keystone-api.sh - stop ports: + {{- $portInt := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{- $portAdm := tuple "identity" "admin" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - name: ks-pub - containerPort: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + containerPort: {{ $portInt }} + {{- if not ( eq $portInt $portAdm ) }} - name: ks-adm - containerPort: {{ tuple "identity" "admin" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + containerPort: {{ $portAdm }} + {{- end }} readinessProbe: httpGet: scheme: HTTP path: / - port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + port: {{ $portInt }} initialDelaySeconds: 15 periodSeconds: 10 volumeMounts: diff --git a/keystone/templates/etc/_wsgi-keystone.conf.tpl b/keystone/templates/etc/_wsgi-keystone.conf.tpl index 12079808d8..878d364fbe 100644 --- a/keystone/templates/etc/_wsgi-keystone.conf.tpl +++ b/keystone/templates/etc/_wsgi-keystone.conf.tpl 
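Review bot: The guard `{{- if not ( eq $portInt $portAdm ) }}` around the `ks-adm` container port in deployment-api.yaml reads more directly as `{{- if ne $portInt $portAdm }}`, and the same variable pair and guard are repeated in _wsgi-keystone.conf.tpl and service-api.yaml. A template comment before the guard would help, for example `{{- /* ks-adm is omitted when admin shares the public port; the admin API is then served on ks-pub */}}`, because anything that admits traffic to `ks-pub` then also reaches the admin application. The readinessProbe in this hunk only requests `/` on `$portInt`, so it does not exercise the admin application in either case.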
@@ -14,8 +14,13 @@ See the License for the specific language governing permissions and limitations under the License. */}} -Listen 0.0.0.0:{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} -Listen 0.0.0.0:{{ tuple "identity" "admin" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- $portInt := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- $portAdm := tuple "identity" "admin" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + +Listen 0.0.0.0:{{ $portInt }} +{{- if not ( eq $portInt $portAdm ) }} +Listen 0.0.0.0:{{ $portAdm }} +{{- end }} LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy @@ -24,7 +29,7 @@ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded CustomLog /dev/stdout combined env=!forwarded CustomLog /dev/stdout proxy env=forwarded - + WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-public WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public @@ -40,7 +45,8 @@ CustomLog /dev/stdout proxy env=forwarded CustomLog /dev/stdout proxy env=forwarded - +{{- if not ( eq $portInt $portAdm ) }} + WSGIDaemonProcess keystone-admin processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-admin WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-admin 
@@ -55,6 +61,21 @@ CustomLog /dev/stdout proxy env=forwarded CustomLog /dev/stdout combined env=!forwarded CustomLog /dev/stdout proxy env=forwarded +{{- else }} +WSGIDaemonProcess keystone-admin processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP} +WSGIProcessGroup keystone-admin +WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-admin +WSGIApplicationGroup %{GLOBAL} +WSGIPassAuthorization On += 2.4> + ErrorLogFormat "%{cu}t %M" + +ErrorLog /dev/stderr + +SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded +CustomLog /dev/stdout combined env=!forwarded +CustomLog /dev/stdout proxy env=forwarded +{{- end }} Alias /identity /var/www/cgi-bin/keystone/keystone-wsgi-public diff --git a/keystone/templates/service-api.yaml b/keystone/templates/service-api.yaml index 3c0dbe9a6f..717cf0f3f3 100644 --- a/keystone/templates/service-api.yaml +++ b/keystone/templates/service-api.yaml 
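Review bot: The new `{{- else }}` branch maps the admin application with `WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-admin`, which on a shared listener competes with the public `WSGIScriptAlias /` rather than confining admin to its own path prefix. The container directives are not readable in this rendering (the line `= 2.4>` has lost its opening tag), so the scope of the branch should be confirmed. If admin is meant to be reached only under `/identity_admin`, presumably through an alias defined below the hunk, the `WSGIScriptAlias /` line can be dropped from this branch. The branch also sets `WSGIPassAuthorization On` with no access restriction visible, so the admin API is reachable by every client that can reach the public port. A comment such as `# admin shares the public listener here; restrict /identity_admin upstream if it must not be externally reachable` would make that exposure explicit.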
@@ -23,16 +23,20 @@ metadata: name: {{ tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} spec: ports: - - name: ks-pub - port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{ if .Values.network.api.node_port.enabled }} - nodePort: {{ .Values.network.api.node_port.port }} - {{ end }} - - name: ks-adm - port: {{ tuple "identity" "admin" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{ if .Values.network.admin.node_port.enabled }} - nodePort: {{ .Values.network.admin.node_port.port }} - {{ end }} + {{- $portInt := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{- $portAdm := tuple "identity" "admin" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + - name: ks-pub + port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{ if .Values.network.api.node_port.enabled }} + nodePort: {{ .Values.network.api.node_port.port }} + {{ end }} + {{- if not ( eq $portInt $portAdm ) }} + - name: ks-adm + port: {{ tuple "identity" "admin" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{ if .Values.network.admin.node_port.enabled }} + nodePort: {{ .Values.network.admin.node_port.port }} + {{ end }} + {{- end }} selector: {{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{ if or (.Values.network.api.node_port.enabled) (.Values.network.admin.node_port.enabled) }} diff --git a/keystone/values.yaml b/keystone/values.yaml index 5e72c58a8b..cb5a121804 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml @@ -915,6 +915,7 @@ endpoints: hosts: default: keystone-api public: keystone + admin: keystone host_fqdn_override: default: null # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public 
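Review bot: `$portInt` and `$portAdm` are defined at the top of `ports:` in service-api.yaml, but the two `port:` lines still repeat the full `endpoint_port_lookup` call, unlike deployment-api.yaml in this patch; `port: {{ $portInt }}` and `port: {{ $portAdm }}` would keep the guard and the rendered values from drifting apart. When the ports are equal, the `ks-adm` entry and its `nodePort` are skipped silently even if `.Values.network.admin.node_port.enabled` is true, while the `if or (...)` line after the hunk still tests that flag. A `fail` or a comment at the guard would tell the operator that admin is then served on the `ks-pub` port and its nodePort.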
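Review bot: The added `hosts.admin: keystone` in keystone/values.yaml gives the admin interface the same host name as `hosts.public` rather than the `keystone-api` default, and nothing in the block explains why. The neighbouring `NOTE(portdirect)` mentions TLS only for fqdn-overridden public endpoints, so the admin endpoint presumably takes the same externally reachable route over `scheme.default: http`. I would add a comment on the new line, e.g. `# NOTE: admin is published on the public host; front it with TLS and restrict /identity_admin if external admin access is not wanted`.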
@@ -926,12 +927,13 @@ endpoints: # key: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 oslo_db: namespace: null auth: diff --git a/magnum/values.yaml b/magnum/values.yaml index c0f008e3b4..2f52f234c6 100644 --- a/magnum/values.yaml +++ b/magnum/values.yaml @@ -358,12 +358,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 container_infra: name: magnum hosts: diff --git a/mistral/values.yaml b/mistral/values.yaml index c2f26c5046..99bf6bac28 100644 --- a/mistral/values.yaml +++ b/mistral/values.yaml @@ -242,12 +242,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 workflowv2: name: mistral hosts: diff --git a/neutron/values.yaml b/neutron/values.yaml index 5be8ea152e..db3fa0760b 100644 --- a/neutron/values.yaml +++ b/neutron/values.yaml @@ -1776,12 +1776,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 network: name: neutron hosts: diff --git a/nova/values.yaml b/nova/values.yaml index 2f39184509..84e753aef1 100644 --- a/nova/values.yaml +++ b/nova/values.yaml @@ -1395,12 +1395,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 image: name: glance hosts: diff --git a/rally/values.yaml b/rally/values.yaml index f93ceb167a..345df13c69 100644 --- a/rally/values.yaml +++ b/rally/values.yaml @@ -255,12 +255,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 benchmark: name: rally hosts: 
diff --git a/senlin/values.yaml b/senlin/values.yaml index 2ed1b609ad..04e78bdc77 100644 --- a/senlin/values.yaml +++ b/senlin/values.yaml @@ -407,12 +407,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 clustering: name: senlin hosts: diff --git a/tempest/values.yaml b/tempest/values.yaml index 9a922692ec..58ea165cff 100644 --- a/tempest/values.yaml +++ b/tempest/values.yaml @@ -250,12 +250,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 manifests: configmap_bin: true diff --git a/tools/deployment/common/setup-client.sh b/tools/deployment/common/setup-client.sh index 400c5b62b7..73a3e1d2cf 100755 --- a/tools/deployment/common/setup-client.sh +++ b/tools/deployment/common/setup-client.sh @@ -32,7 +32,7 @@ clouds: project_name: 'admin' project_domain_name: 'default' user_domain_name: 'default' - auth_url: 'http://keystone.openstack.svc.cluster.local/v3' + auth_url: 'http://keystone.openstack.svc.cluster.local/identity/v3' EOF #NOTE: Build charts